
Unknown Malware on 2 PC in office


This topic is locked
13 replies to this topic

#1 Vector23

Posted 21 June 2012 - 05:58 PM

Hello,

Thanks in advance for the help tracking down what this piece of malware is.

We have 2 PCs in our office, out of about 150, that are exhibiting the following symptoms:

Open Google -> perform a search for, for example: this friday vs next friday

Click on a result; usually the first one goes through to the searched result page without issue.

Click the back button, pick another result from the list of search results, and get redirected to one of several websites.

The first PC that was reported to us as having issues was re-ghosted, and the malware infection was found to remain after the ghosting; it will be the one we run any tests on.

The second PC was in our Accounting Department and contains sensitive data, and I aggressively attempted to clean and identify the malware with a battery of Malwarebytes, TDSSKiller, ComboFix, and several other scans but found nothing noteworthy. However, the symptoms point to some kind of well-hidden and new variant of TDSS or another rootkit.

Attached is the DDS log as well as the results of the GMER scan.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by AdminHSI at 14:39:50 on 2012-06-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1664 [GMT -7:00]
.
AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Updated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Automatic Update\AutoUpdateGUI.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\mmc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080201
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080201
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120320082441.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: amadeus.com\content
Trusted Zone: amadeus.net\content.1a
Trusted Zone: amadeuscruise.com
Trusted Zone: amadeuscruise.com\*
Trusted Zone: amadeusferry.com\*
Trusted Zone: amadeusproweb.com
Trusted Zone: amadeusproweb.com\*
Trusted Zone: amadeusvista.com
Trusted Zone: amadeusvista.com\*
Trusted Zone: amadeusvista.com\Muc.http.farm6.software
Trusted Zone: amadeusvista.com\Muc.http.farm8.software
Trusted Zone: amadeusvista.com\Muc.https.farm11.software
Trusted Zone: amadeusvista.com\Muc.https.farm5.software
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {051FE707-9706-11D5-A836-000102A7C938} - hxxp://certificates.amadeusvista.com/sgwadmin/common/AutoUpdateATL33P110.CAB
DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} - hxxp://diagnostic.amadeus.com/TravelAgencies/Cabs/DS_Diagnostic.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265914352868
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265914340774
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E90EF4C9-1476-4C49-B926-97C7D9D30A06} - hxxp://diagnostic.amadeus.com/TravelAgencies/Cabs/CCCert_Info.CAB
DPF: {F96020DD-C373-44A0-82B6-064EF0AEEAE3} - hxxp://certificates.amadeusvista.com/sgwadmin/RegSiteTools.cab
TCP: DhcpNameServer = 192.168.0.8 192.168.0.3
TCP: Interfaces\{AB74E388-AB3F-4D3D-B581-BDB0404F3DFA} : DhcpNameServer = 192.168.0.8 192.168.0.3
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\800\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll
Hosts: 10.10.0.124 apdemo.advantageprogram.net
Hosts: 10.10.0.14 www.advantageprogram.net
Hosts: 10.10.0.14 advantageprogram.net
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\y9lt8rl9.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-2-19 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-19 89792]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-1 150856]
R2 SWAGENT;SonicWALL Agent Service;c:\program files\mcafee\managed virusscan\agent\swAgent.exe [2008-2-19 190016]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-11-7 1581512]
R3 MfeAVFK;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-2-19 180816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-1 166288]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-2-19 291328]
S2 RumorServer;McAfee Peer Distribution Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-2-19 291328]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 257696]
S3 MfeBOPK;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-2-19 59456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-19 87656]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-2-11 34248]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-15 129976]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2009-11-17 10688]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-21 21:27:06 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2012-06-21 21:26:48 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2012-06-21 21:18:37 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Sun
2012-06-21 21:13:32 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2012-06-21 21:13:17 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2012-05-29 20:07:51 -------- d-----w- c:\windows\pss
2012-05-25 20:40:57 -------- d-----w- c:\program files\Oracle
2012-05-25 20:40:48 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-25 00:05:35 -------- d-----w- c:\windows\ie8updates
2012-05-25 00:05:01 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-05-25 00:05:01 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-05-25 00:05:01 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-05-25 00:04:40 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-05-24 23:06:15 -------- dc-h--w- c:\windows\ie8
2012-05-24 23:03:18 -------- d-----w- c:\program files\MSXML 4.0
2012-05-24 22:57:43 -------- d-----w- c:\windows\system32\winrm
2012-05-24 22:57:43 -------- d-----w- c:\windows\system32\GroupPolicy
2012-05-24 22:57:39 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-05-24 22:53:41 139784 ------w- c:\windows\system32\dllcache\rdpwd.sys
2012-05-24 22:53:40 3072 ------w- c:\windows\system32\iacenc.dll
2012-05-24 22:53:40 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-05-24 22:52:38 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-05-24 22:52:15 105472 ------w- c:\windows\system32\dllcache\mup.sys
2012-05-24 22:51:03 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2012-05-24 22:50:58 45568 ------w- c:\windows\system32\dllcache\wab.exe
2012-05-24 22:50:46 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
2012-05-24 22:50:46 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2012-05-24 22:50:46 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2012-05-24 22:50:34 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2012-05-24 22:42:19 -------- d-----w- c:\program files\Auslogics
2012-05-24 22:29:22 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-24 22:29:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-24 22:23:48 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
.
==================== Find3M ====================
.
2012-06-01 20:23:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-01 20:23:46 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 16:43:23 16339280 ----a-w- C:\Firefox Setup 12.0.exe
2012-05-11 16:06:47 151552 --sha-r- c:\windows\system32\zh-TW0.dll
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-05 01:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 14:40:18.67 ===============


=============================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-21 15:55:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST380815 rev.4.AD
Running: bedzsn7r.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxlyyfob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE34C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE34D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE3500]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE3556]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE34AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE3484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE3498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE34EA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE352C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE3516]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE3580]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE356C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE3540]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B1C 7 Bytes JMP B9DE3544 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2042 7 Bytes JMP B9DE355A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E50 5 Bytes JMP B9DE3570 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C0636 5 Bytes JMP B9DE3530 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB456 5 Bytes JMP B9DE3488 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6E2 5 Bytes JMP B9DE349C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D22D8 5 Bytes JMP B9DE3584 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622548 7 Bytes JMP B9DE351A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806239F8 7 Bytes JMP B9DE34EE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623FD6 5 Bytes JMP B9DE34C4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80624472 7 Bytes JMP B9DE34D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80624642 7 Bytes JMP B9DE3504 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806253B4 5 Bytes JMP B9DE34B0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA3D76A00]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[768] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 025D000A
.text C:\WINDOWS\system32\services.exe[768] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 025D0FDE
.text C:\WINDOWS\system32\services.exe[768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 025D0FEF
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025C000A
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025C009A
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025C0089
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025C0FAF
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025C006C
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025C0FD4
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025C0F88
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025C00D0
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025C00EB
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025C0F5C
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025C00FC
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025C005B
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025C0FEF
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025C00BF
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025C0036
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025C0025
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025C0F6D
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02600FC0
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02600058
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02600FD1
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02600011
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02600F9B
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02600000
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02600047
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02600036
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025F0F97
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!system 77C293C7 5 Bytes JMP 025F0022
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025F0FC3
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025F0FEF
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025F0FB2
.text C:\WINDOWS\system32\services.exe[768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025F0FDE
.text C:\WINDOWS\system32\services.exe[768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025E0000
.text C:\WINDOWS\system32\lsass.exe[780] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\lsass.exe[780] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D60014
.text C:\WINDOWS\system32\lsass.exe[780] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50076
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50F8B
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50F9C
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D5005B
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50040
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D50F4E
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50F5F
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D500B1
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F18
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50EFD
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D5001B
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50F70
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D50F33
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10047
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10076
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10FAF
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10FC0
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10FDB
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D8003B
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80FB0
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D8000C
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80FE3
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80FC1
.text C:\WINDOWS\system32\lsass.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FD2
.text C:\WINDOWS\system32\lsass.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AC0FEF
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AC001E
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AC0FDE
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AB0F48
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AB0F59
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AB0F80
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AB0F9B
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AB002C
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AB0078
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AB0F26
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AB0093
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AB0EF0
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AB00AE
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AB003D
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AB0FDB
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AB0F37
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AB0FCA
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AB0F15
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F00FC0
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F00F6F
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F00011
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F00F80
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F00F9B
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [10, 89]
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F00022
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0F9C
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0FB7
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE001D
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE0FC8
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FDB
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F30
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F4B
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FA5
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F13
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0076
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0EE7
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0087
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB004A
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0EF8
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0080
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0065
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[1032] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F90
.text C:\WINDOWS\system32\svchost.exe[1032] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1032] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FC6
.text C:\WINDOWS\system32\svchost.exe[1032] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1032] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FA1
.text C:\WINDOWS\system32\svchost.exe[1032] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02750FEF
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0275000A
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02750FDE
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02740FE5
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02740076
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0274005B
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02740F8D
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02740F9E
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0274002F
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02740F4E
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02740F5F
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027400B8
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02740F29
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027400C9
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02740040
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02740FD4
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02740F70
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02740014
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02740FC3
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027400A7
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027A0FD4
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027A0FA8
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027A002F
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027A0FEF
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027A0FB9
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027A0000
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 027A005B
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027A0040
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0278004E
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 02780FCD
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02780033
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0278000C
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02780FDE
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02780FEF
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0277000A
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 02760000
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 0276001B
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 0276002C
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 02760FD1
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00960000
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00960022
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00960011
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0095005E
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00950F5F
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00950F86
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00950043
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00950FAB
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00950F38
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00950080
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009500B6
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00950F1D
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00950F02
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00950032
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00950FDE
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0095006F
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00950FBC
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00950FCD
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0095009B
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00990076
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00990FCA
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0099005B
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00990FAF
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B9, 88]
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00990036
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00980FB2
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!system 77C293C7 5 Bytes JMP 0098003D
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00980011
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00980022
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00980FD7
.text C:\WINDOWS\system32\svchost.exe[1248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A20FC3
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A100B8
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A1009D
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10082
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10065
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F8D
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100F7
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100E6
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F39
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A1004A
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A100C9
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FDE
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10F68
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FB6
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90040
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90F83
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90F94
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C9, 88]
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90FA5
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40044
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40033
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A40FDE
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A40018
.text C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F6D
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900062
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900F94
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900051
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0090008E
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0090007D
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F10
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000A9
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900EFF
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900040
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900F5C
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F2B
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF005B
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0014
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF004A
.text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[1600] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1600] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0F90
.text C:\WINDOWS\system32\svchost.exe[1600] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FB5
.text C:\WINDOWS\system32\svchost.exe[1600] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\svchost.exe[1600] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1600] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\svchost.exe[1600] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1600] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1600] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1600] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 0092002C
.text C:\WINDOWS\system32\svchost.exe[1600] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF
.text C:\WINDOWS\Explorer.EXE[3660] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\Explorer.EXE[3660] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FDE
.text C:\WINDOWS\Explorer.EXE[3660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F83
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0078
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B005B
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F50
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F61
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00C4
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F2B
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F10
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B004A
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F72
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B002F
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00B3
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0073
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0058
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0047
.text C:\WINDOWS\Explorer.EXE[3660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A002C
.text C:\WINDOWS\Explorer.EXE[3660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FB7
.text C:\WINDOWS\Explorer.EXE[3660] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0042
.text C:\WINDOWS\Explorer.EXE[3660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\Explorer.EXE[3660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[3660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0027
.text C:\WINDOWS\Explorer.EXE[3660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B000C
.text C:\WINDOWS\Explorer.EXE[3660] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[3660] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\Explorer.EXE[3660] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 002D0FC3
.text C:\WINDOWS\Explorer.EXE[3660] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 002D0FA8
.text C:\WINDOWS\Explorer.EXE[3660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
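The hook section of that GMER log shows the same set of API entry points (ntdll NtCreateFile/NtCreateProcess/NtProtectVirtualMemory, the kernel32 process, library and pipe functions, the ADVAPI32 registry functions, msvcrt system/open, WS2_32 socket and the WININET open calls) patched with a 5-byte JMP in every process GMER inspected, with each hooked DLL's trampolines landing in their own small allocated region. Reading that by eye across a few hundred lines is error-prone, so below is an added triage script written for this edit (it is not part of GMER, TDSSKiller or the original post; the function names, the Hook record and the SAMPLE excerpt are all mine, the excerpt itself being a handful of lines copied from the log above). It parses the hook and AttachedDevice lines, folds the "+ N" continuation lines into the hook they belong to, groups hooks per process, counts the distinct 64 KiB regions the JMPs land in, and lists which functions are hooked in one process but not another. One caveat a practitioner would want: system-wide inline hooks on exactly this kind of API set are also what host intrusion prevention and buffer-overflow-protection products install, so the summary only tells you whether the hooks are consistent with a single hooking agent; attributing them to the McAfee drivers listed under Devices, or to malware, requires dumping and inspecting the hook-target memory, which the log alone cannot do.

```python
"""Summarise GMER user-mode hook and AttachedDevice lines for triage.
Added example for this thread; not part of GMER or of the original post."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt copied from the GMER log in the first post (a few lines per process).
SAMPLE = r"""
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02750FEF
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027400B8
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027A0FD4
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0277000A
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 02760000
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00990FAF
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B9, 88]
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\Explorer.EXE[3660] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\Explorer.EXE[3660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00C4
.text C:\WINDOWS\Explorer.EXE[3660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
"""

# One hook line: process[pid] module!function [+ offset] address N Byte(s) (JMP target | [raw bytes])
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[^\s!]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<off>\d+))?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$")
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<stack>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)")


@dataclass
class Hook:
    proc: str
    pid: int
    module: str
    func: str
    addr: int
    nbytes: int
    target: Optional[int]                                  # JMP destination
    extra_bytes: List[str] = field(default_factory=list)   # bytes shown on "+ N" continuation lines


def parse_gmer(text: str):
    """Return (hooks, devices); a '+ N' line is folded into the hook it continues."""
    hooks: List[Hook] = []
    devices: List[Tuple[str, str, str, str]] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            key = (m["proc"], int(m["pid"]), m["mod"], m["func"])
            if m["off"] is not None:
                for h in reversed(hooks):
                    if (h.proc, h.pid, h.module, h.func) == key:
                        if m["raw"] is not None:
                            h.extra_bytes.extend(b.strip() for b in m["raw"].split(","))
                        break
                continue
            hooks.append(Hook(*key, int(m["addr"], 16), int(m["n"]),
                              int(m["target"], 16) if m["target"] else None))
            continue
        d = DEVICE_RE.match(line.strip())
        if d:
            devices.append((d["stack"], d["device"], d["driver"], d["desc"]))
    return hooks, devices


def summarize(hooks: List[Hook]):
    """Per process: hook count, hooked modules, hooked function names and the distinct
    64 KiB regions the JMPs land in (one region per hooked DLL in this log)."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[(h.proc, h.pid)].append(h)
    return {key: {"count": len(hs),
                  "modules": sorted({h.module for h in hs}),
                  "functions": {f"{h.module}!{h.func}" for h in hs},
                  "regions": sorted({h.target & 0xFFFF0000 for h in hs if h.target is not None})}
            for key, hs in by_proc.items()}


def hook_set_differences(summary):
    """Functions hooked somewhere but not in the given process. A single system-wide hooking
    agent normally leaves only small gaps (e.g. WININET hooks only where WININET is loaded)."""
    union = set().union(*(s["functions"] for s in summary.values()))
    return {key: sorted(union - s["functions"]) for key, s in summary.items()}


def attached_drivers(devices):
    """Which driver is attached to which device objects."""
    out = defaultdict(set)
    for _stack, device, driver, _desc in devices:
        out[driver].add(device)
    return {drv: sorted(devs) for drv, devs in out.items()}


def main():
    hooks, devices = parse_gmer(SAMPLE)
    summary = summarize(hooks)
    gaps = hook_set_differences(summary)
    for (proc, pid), s in summary.items():
        regions = ", ".join(f"{r:08X}" for r in s["regions"])
        print(f"{proc}[{pid}]: {s['count']} hooks in {', '.join(s['modules'])}; regions {regions}")
        if gaps[(proc, pid)]:
            print("   not hooked here:", ", ".join(gaps[(proc, pid)]))
    for h in hooks:
        if h.extra_bytes:
            print(f"   split hook {h.module}!{h.func} in pid {h.pid}: {h.nbytes}-byte JMP + {h.extra_bytes}")
    for drv, devs in attached_drivers(devices).items():
        print(f"{drv} attached to {', '.join(devs)}")


if __name__ == "__main__":
    main()
```

Run it against the full log by replacing SAMPLE with the file contents; the "not hooked here" lines are the part worth reading, since a process whose hook set differs from every other process (or whose JMPs land somewhere other than the small per-DLL regions seen everywhere else) is the one to dump first. The split hooks on RegCreateKeyW and NtCreateFile in the log are reported separately because a 2- or 3-byte JMP plus trailing bytes is just how GMER prints a patch that does not line up with the original instruction boundary, not a second hook.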

#2 Vector23

Vector23
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:45 AM

Posted 25 June 2012 - 02:18 PM

hmm, it's been almost the 4 days that it says is the average reply time, so I'm going to bump it for a reminder . . . and to make sure my "watch this topic" feature is working.

Edited by Vector23, 25 June 2012 - 02:19 PM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,901 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 AM

Posted 26 June 2012 - 10:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start with this.

Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#4 Vector23

Vector23
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:45 AM

Posted 26 June 2012 - 06:01 PM

15:21:25.0187 3640 TDSS rootkit removing tool 2.7.42.0 Jun 25 2012 21:18:44
15:21:25.0187 3640 ============================================================
15:21:25.0187 3640 Current date / time: 2012/06/26 15:21:25.0187
15:21:25.0187 3640 SystemInfo:
15:21:25.0187 3640
15:21:25.0187 3640 OS Version: 5.1.2600 ServicePack: 3.0
15:21:25.0187 3640 Product type: Workstation
15:21:25.0187 3640 ComputerName: PCTRAVEL20
15:21:25.0187 3640 UserName: AdminHSI
15:21:25.0187 3640 Windows directory: C:\WINDOWS
15:21:25.0187 3640 System windows directory: C:\WINDOWS
15:21:25.0187 3640 Processor architecture: Intel x86
15:21:25.0187 3640 Number of processors: 2
15:21:25.0187 3640 Page size: 0x1000
15:21:25.0187 3640 Boot type: Normal boot
15:21:25.0187 3640 ============================================================
15:21:26.0046 3640 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:21:26.0046 3640 Drive \Device\Harddisk1\DR3 - Size: 0x1D11B0000 (7.27 Gb), SectorSize: 0x200, Cylinders: 0x3B4, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:21:26.0062 3640 ============================================================
15:21:26.0062 3640 \Device\Harddisk0\DR0:
15:21:26.0062 3640 MBR partitions:
15:21:26.0062 3640 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x94E7137
15:21:26.0062 3640 \Device\Harddisk1\DR3:
15:21:26.0062 3640 MBR partitions:
15:21:26.0062 3640 \Device\Harddisk1\DR3\Partition0: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0xE86E00
15:21:26.0062 3640 ============================================================
15:21:26.0093 3640 C: <-> \Device\Harddisk0\DR0\Partition0
15:21:26.0093 3640 ============================================================
15:21:26.0093 3640 Initialize success
15:21:26.0093 3640 ============================================================
15:22:19.0734 3668 ============================================================
15:22:19.0734 3668 Scan started
15:22:19.0734 3668 Mode: Manual;
15:22:19.0734 3668 ============================================================
15:22:19.0875 3668 Abiosdsk - ok
15:22:19.0890 3668 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
15:22:20.0000 3668 abp480n5 - ok
15:22:20.0031 3668 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:22:20.0046 3668 ACPI - ok
15:22:20.0062 3668 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:22:20.0062 3668 ACPIEC - ok
15:22:20.0125 3668 ADIHdAudAddService (0f0a69496989912351284bb1baa2ce57) C:\WINDOWS\system32\drivers\ADIHdAud.sys
15:22:20.0312 3668 ADIHdAudAddService - ok
15:22:20.0406 3668 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
15:22:20.0531 3668 AdobeFlashPlayerUpdateSvc - ok
15:22:20.0578 3668 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
15:22:20.0671 3668 adpu160m - ok
15:22:20.0781 3668 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:22:20.0796 3668 aec - ok
15:22:20.0843 3668 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:22:20.0984 3668 AFD - ok
15:22:21.0000 3668 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
15:22:21.0000 3668 agp440 - ok
15:22:21.0015 3668 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
15:22:21.0015 3668 agpCPQ - ok
15:22:21.0046 3668 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
15:22:21.0156 3668 Aha154x - ok
15:22:21.0171 3668 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
15:22:21.0265 3668 aic78u2 - ok
15:22:21.0265 3668 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
15:22:21.0375 3668 aic78xx - ok
15:22:21.0406 3668 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
15:22:21.0406 3668 Alerter - ok
15:22:21.0437 3668 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
15:22:21.0437 3668 ALG - ok
15:22:21.0468 3668 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
15:22:21.0562 3668 AliIde - ok
15:22:21.0593 3668 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
15:22:21.0593 3668 alim1541 - ok
15:22:21.0703 3668 Amadeus Automatic Update (129b6b3f2b088aec7ce2572dbbf5a688) C:\Program Files\Automatic Update\AutoUpdate.exe
15:22:21.0828 3668 Amadeus Automatic Update - ok
15:22:21.0859 3668 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
15:22:21.0859 3668 amdagp - ok
15:22:21.0890 3668 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
15:22:21.0984 3668 amsint - ok
15:22:22.0031 3668 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
15:22:22.0046 3668 AppMgmt - ok
15:22:22.0078 3668 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
15:22:22.0187 3668 asc - ok
15:22:22.0187 3668 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
15:22:22.0281 3668 asc3350p - ok
15:22:22.0312 3668 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
15:22:22.0406 3668 asc3550 - ok
15:22:22.0453 3668 ASFIPmon (6295dd28d0ecbc4e6e450c279fef5ed9) C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
15:22:22.0578 3668 ASFIPmon - ok
15:22:22.0703 3668 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
15:22:22.0859 3668 aspnet_state - ok
15:22:22.0890 3668 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:22:22.0890 3668 AsyncMac - ok
15:22:22.0921 3668 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:22:22.0921 3668 atapi - ok
15:22:22.0937 3668 Atdisk - ok
15:22:22.0953 3668 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:22:22.0968 3668 Atmarpc - ok
15:22:23.0000 3668 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
15:22:23.0000 3668 AudioSrv - ok
15:22:23.0046 3668 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:22:23.0062 3668 audstub - ok
15:22:23.0062 3668 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
15:22:23.0156 3668 b57w2k - ok
15:22:23.0203 3668 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
15:22:23.0296 3668 BASFND - ok
15:22:23.0343 3668 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:22:23.0343 3668 Beep - ok
15:22:23.0406 3668 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
15:22:23.0421 3668 BITS - ok
15:22:23.0468 3668 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
15:22:23.0468 3668 Browser - ok
15:22:23.0500 3668 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
15:22:23.0500 3668 cbidf - ok
15:22:23.0500 3668 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:22:43.0859 3668 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:22:44.0250 3668 \Device\Harddisk0\DR0 - ok
15:22:44.0250 3668 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
15:22:46.0500 3668 \Device\Harddisk1\DR3 - ok
15:22:46.0500 3668 Boot (0x1200) (8a6fb1ff57cea73e06dfcbdb66faf0f6) \Device\Harddisk0\DR0\Partition0
15:22:46.0500 3668 \Device\Harddisk0\DR0\Partition0 - ok
15:22:46.0500 3668 Boot (0x1200) (9a1ca85a34b7e4194fe06d8bcc9af728) \Device\Harddisk1\DR3\Partition0
15:22:46.0515 3668 \Device\Harddisk1\DR3\Partition0 - ok
15:22:46.0515 3668 ============================================================
15:22:46.0515 3668 Scan finished
15:22:46.0515 3668 ============================================================
15:22:46.0515 3660 Detected object count: 0
15:22:46.0515 3660 Actual detected object count: 0


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-26 15:24:46
-----------------------------
15:24:46.796 OS Version: Windows 5.1.2600 Service Pack 3
15:24:46.796 Number of processors: 2 586 0xF0D
15:24:46.796 ComputerName: PCTRAVEL20 UserName: AdminHSI
15:24:47.000 Initialize success
15:27:33.451 AVAST engine defs: 12062601
15:28:24.022 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:28:24.022 Disk 0 Vendor: ST380815 4.AD Size: 76293MB BusType: 3
15:28:24.022 Disk 0 MBR read successfully
15:28:24.022 Disk 0 MBR scan
15:28:24.105 Disk 0 Windows XP default MBR code
15:28:24.121 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
15:28:24.155 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76238 MB offset 96390
15:28:24.171 Disk 0 scanning sectors +156232125
15:28:24.287 Disk 0 scanning C:\WINDOWS\system32\drivers
15:28:41.634 Service scanning
15:29:08.960 Modules scanning
15:29:12.958 Disk 0 trace - called modules:
15:29:12.975 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
15:29:12.975 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6fe9c0]
15:29:12.991 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a69d030]
15:29:13.355 AVAST engine scan C:\WINDOWS
15:29:18.129 AVAST engine scan C:\WINDOWS\system32
15:33:03.603 AVAST engine scan C:\WINDOWS\system32\drivers
15:33:21.449 AVAST engine scan C:\Documents and Settings\Administrator
15:34:34.967 AVAST engine scan C:\Documents and Settings\All Users
15:34:54.631 Scan finished successfully
15:54:28.206 Disk 0 MBR has been saved successfully to "E:\PCTRAVEL20\MBR.dat"
15:54:28.253 The log file has been saved successfully to "E:\PCTRAVEL20\aswMBR.txt"

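The two "MBR (0x1B8)" lines in the TDSSKiller output above and the partition listing from aswMBR are the pieces a responder compares against a known-good disk when a search-redirect problem survives a re-image: the 0x1B8 in the label is the length of the boot-code area (the 440 bytes before the NT disk signature), both disks here report the same boot-code hash, and aswMBR identifies that code as the Windows XP default. The script below is an added example, not part of the thread and not code from TDSSKiller or aswMBR. It shows the boot-code hash computation and the partition-table decode on a constructed 512-byte MBR whose table mirrors the aswMBR layout (Dell Utility type 0xDE at LBA 63, active NTFS type 0x07 at LBA 96390); the boot-code bytes, the disk signature and the reference hash are placeholders, because the real boot code is not on the page and its hash cannot be reproduced from the log.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 0x1B8          # bytes before the disk signature; the "(0x1B8)" in the TDSSKiller line
PARTITION_TABLE_OFF = 0x1BE    # four 16-byte entries
SIGNATURE_OFF = 0x1FE          # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def pack_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one partition-table entry; CHS fields are zeroed, the tools use the LBA fields."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR image for the example (not the disk from the thread).

    The partition layout copies the aswMBR listing: a Dell Utility partition (type 0xDE)
    at LBA 63 and an active NTFS partition (type 0x07) at LBA 96390. The boot code is
    NOP filler, so its hash is not the one in the TDSSKiller log.
    """
    boot_code = b"\x90" * BOOT_CODE_LEN
    disk_signature = struct.pack("<I", 0x5A5A1234) + b"\x00\x00"   # placeholder NT disk signature
    table = b"".join([
        pack_entry(0x00, 0xDE, 63, 96327),           # 47 MB utility partition
        pack_entry(0x80, 0x07, 96390, 156135735),    # 76238 MB active NTFS partition
        pack_entry(0, 0, 0, 0),
        pack_entry(0, 0, 0, 0),
    ])
    return boot_code + disk_signature + table + b"\x55\xAA"


def parse_mbr(mbr: bytes) -> dict:
    """Hash the boot code the way the 'MBR (0x1B8)' line does and decode the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector image, got {len(mbr)} bytes")
    partitions = []
    for index in range(4):
        off = PARTITION_TABLE_OFF + 16 * index
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue    # unused slot
        partitions.append({
            "index": index + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * 512 // (1024 * 1024),
        })
    return {
        "code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "valid_signature": mbr[SIGNATURE_OFF:] == b"\x55\xAA",
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_code_md5: str) -> list:
    """Return findings a responder would act on; an empty list means the MBR looks as expected."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_md5"] != known_good_code_md5:
        findings.append(f"boot code hash {info['code_md5']} differs from reference {known_good_code_md5}")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["lba_start"] < 1:
            findings.append(f"partition {p['index']} starts at LBA {p['lba_start']}")
    return findings


if __name__ == "__main__":
    image = build_sample_mbr()
    reference = parse_mbr(image)["code_md5"]   # substitute the hash of a known-clean MBR dump here
    for part in parse_mbr(image)["partitions"]:
        print(part)
    print("findings:", check_mbr(image, reference))
```

To run it against the dump aswMBR wrote to E:\PCTRAVEL20\MBR.dat, pass `open(path, "rb").read()[:512]` to `parse_mbr` and compare the hash with one taken from a machine built from the same image. A bootkit that patches the boot code changes this hash, which is why both tools print it; a rootkit that hooks below the read instead shows up in aswMBR's "trace - called modules" list (ntkrnlpa.exe, CLASSPNP.SYS, disk.sys, iaStor.sys, hal.dll in the log above), where an unexpected driver in the disk I/O path would be the tell. Neither check fires on this machine, which is consistent with the later finding that the redirects stopped without any MBR repair.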
#5 Vector23

Vector23
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 26 June 2012 - 06:03 PM

Forgot to attach MBR.zip

Attached Files

  • Attached File  MBR.zip   511bytes   0 downloads


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,901 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 AM

Posted 27 June 2012 - 07:53 AM

Go to Start > Run box, type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed) press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key
*/*

Launch Notepad, and copy/paste all the instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
===

Restart the computer normally.

If still having the issue please run ComboFix and post the log.
You may be asked to update, please do it.

#7 Vector23

Vector23
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 27 June 2012 - 12:36 PM

Flushed the DNS, inserted the registry keys, rebooted, search redirects still occurring and now the sites that are being redirected are getting flagged by OpenDNS as attack sites. Running Combofix and will post the logs as soon as they are ready.

#8 Vector23

Vector23
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 27 June 2012 - 01:17 PM

Here is the Combofix Log. After running combofix the redirects have stopped. I tested extensively to verify they were not coming back and in 15 minutes of clicking google search links never got one of the redirects. I'm VERY curious what this piece of malware is.

ComboFix 12-06-27.01 - AdminHSI 06/27/2012 10:35:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1537 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\JeanniferB\GoToAssistDownloadHelper.exe
c:\documents and settings\JeanniferB\My Documents\~WRL1518.tmp
c:\documents and settings\JeanniferB\My Documents\~WRL1992.tmp
c:\documents and settings\JeanniferB\My Documents\~WRL2704.tmp
c:\documents and settings\JeanniferB\My Documents\~WRL3900.tmp
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 )))))))))))))))))))))))))))))))
.
.
2012-06-26 22:50 . 2012-06-26 22:50 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-22 11:15 . 2012-06-22 11:15 -------- d-----w- c:\documents and settings\COMUser
2012-06-21 21:27 . 2012-06-21 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-06-21 21:26 . 2012-06-21 21:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-06-21 21:18 . 2012-06-21 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sun
2012-06-21 21:13 . 2012-06-21 21:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-06-21 21:13 . 2012-06-21 21:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-06-06 02:11 . 2012-06-06 02:11 -------- d-----w- c:\documents and settings\JeanniferB\Application Data\StoneTrip
2012-06-06 02:11 . 2012-06-06 02:11 -------- d-----w- c:\documents and settings\JeanniferB\LocalLow
2012-06-05 23:39 . 2012-06-05 23:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-26 22:50 . 2012-04-05 15:08 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-26 22:50 . 2011-05-20 02:16 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-12 16:43 . 2012-05-12 16:43 16339280 ----a-w- C:\Firefox Setup 12.0.exe
2012-04-11 13:14 . 2004-08-11 23:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-11 23:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-04 04:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-05 01:47 . 2008-02-19 20:12 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-05 01:47 . 2012-05-25 20:40 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-04-04 22:56 . 2012-05-24 22:29 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 01:19 . 2012-05-15 21:01 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1036288]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2011-12-06 476736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2000-02-15 43008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-28 18:47 13672 ----a-w- c:\program files\Citrix\GoToAssist\800\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Anti-Virus Compliance Port 59152
"59153:UDP"= 59153:UDP:SonicWALL Anti-Virus Compliance Port 59153
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/19/2011 10:18 AM 89792]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 1:30 PM 79168]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/1/2011 4:58 PM 150856]
R2 SWAGENT;SonicWALL Agent Service;c:\program files\McAfee\Managed VirusScan\Agent\swAgent.exe [2/19/2008 3:40 PM 190016]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [11/7/2009 10:13 PM 1581512]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2/19/2008 3:38 PM 291328]
S2 RumorServer;McAfee Peer Distribution Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2/19/2008 3:38 PM 291328]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 8:08 AM 250056]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/19/2011 10:18 AM 87656]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/15/2012 2:01 PM 129976]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [11/17/2009 11:25 AM 10688]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 22:50]
.
2012-06-27 c:\windows\Tasks\tcjlr.job
- c:\windows\system32\zh-TW0.dll [2012-05-11 16:06]
.
2012-06-27 c:\windows\Tasks\User_Feed_Synchronization-{574B0A27-7210-4935-A3CB-9F27E81F20FA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080201
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: amadeus.com\content
Trusted Zone: amadeus.net\content.1a
Trusted Zone: amadeusproweb.com
Trusted Zone: amadeusvista.com\Muc.http.farm6.software
Trusted Zone: amadeusvista.com\Muc.http.farm8.software
Trusted Zone: amadeusvista.com\Muc.https.farm11.software
Trusted Zone: amadeusvista.com\Muc.https.farm5.software
TCP: DhcpNameServer = 192.168.0.8 192.168.0.3
DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} - hxxp://diagnostic.amadeus.com/TravelAgencies/Cabs/DS_Diagnostic.cab
DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
DPF: {E90EF4C9-1476-4C49-B926-97C7D9D30A06} - hxxp://diagnostic.amadeus.com/TravelAgencies/Cabs/CCCert_Info.CAB
DPF: {F96020DD-C373-44A0-82B6-064EF0AEEAE3} - hxxp://certificates.amadeusvista.com/sgwadmin/RegSiteTools.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y9lt8rl9.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-27 10:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3214463903-3371966352-1049364195-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,1f,ed,38,26,e1,8b,49,8f,81,21,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,1f,ed,38,26,e1,8b,49,8f,81,21,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\program files\Citrix\GoToAssist\800\G2AWinLogon.dll
.
Completion time: 2012-06-27 10:39:45
ComboFix-quarantined-files.txt 2012-06-27 17:39
.
Pre-Run: 61,179,629,568 bytes free
Post-Run: 62,100,037,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 074A9C5986E756FA9A4CC4F92981A2F9

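The ComboFix log above is the only artifact in the thread that changed between "redirects occurring" and "redirects stopped", so it is the place to look when someone later asks what was on the machine (post #12 below asks exactly that). Two things in it deserve a second look that the thread never gives them: the "Scheduled Tasks" section lists, beside the Adobe updater and the IE feed sync, a task named tcjlr.job whose target is c:\windows\system32\zh-TW0.dll, and the "Reg Loading Points" section shows the Windows Firewall off, Security Center monitoring of the McAfee product disabled, and Automatic Updates switched off by policy. The log does not say what that DLL is, and this example does not claim to; it only flags what an analyst would want explained before closing the case. The script is an added example, not part of the thread and not code from ComboFix. The log excerpt inside it is constructed by copying the relevant lines from the post above, and the two task heuristics (a DLL as task target, a short vowel-less task name) are assumptions of the example rather than anything the thread states.

```python
import re

# Constructed excerpt: the relevant lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 22:50]
.
2012-06-27 c:\windows\Tasks\tcjlr.job
- c:\windows\system32\zh-TW0.dll [2012-05-11 16:06]
.
2012-06-27 c:\windows\Tasks\User_Feed_Synchronization-{574B0A27-7210-4935-A3CB-9F27E81F20FA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
"""

# A task line is "<date> <path>.job"; the next line "- <target> [<file timestamp>]" names what it runs.
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?)\s+\[([^\]]+)\]$")
RANDOM_STEM = re.compile(r"^[a-z]{4,8}$")
VOWELS = set("aeiou")

# Settings in the "Reg Loading Points" section that weaken the host; values as ComboFix prints them.
WEAK_SETTINGS = [
    (re.compile(r'"EnableFirewall"\s*=\s*0\b'), "Windows Firewall disabled (EnableFirewall=0)"),
    (re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1\b'), "Security Center monitoring of the AV product disabled"),
    (re.compile(r'"NoAutoUpdate"\s*=\s*1\b'), "Automatic Updates disabled by policy (NoAutoUpdate=1)"),
]


def parse_scheduled_tasks(log_text: str) -> list:
    """Return the (job name, target, target timestamp) triples from the Scheduled Tasks section."""
    tasks = []
    in_section = False
    pending_job = None
    for line in log_text.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):       # next ComboFix section header ends the task list
            break
        task = TASK_RE.match(line)
        if task:
            pending_job = task.group(1).rsplit("\\", 1)[-1]
            continue
        target = TARGET_RE.match(line)
        if pending_job and target:
            tasks.append({"job": pending_job, "target": target.group(1), "target_time": target.group(2)})
            pending_job = None
    return tasks


def suspicious_reasons(job: str, target: str) -> list:
    """Heuristics (assumed for this example): tasks normally launch an .exe under a vendor folder
    and carry a readable name; a DLL target or a machine-looking name is worth a manual look."""
    reasons = []
    stem = job[:-4] if job.lower().endswith(".job") else job
    if RANDOM_STEM.match(stem) and not (set(stem) & VOWELS):
        reasons.append("short lowercase task name with no vowels")
    if target.lower().endswith(".dll"):
        reasons.append("task target is a DLL rather than an executable")
    return reasons


def triage(log_text: str) -> dict:
    """Flag weakened security settings and scheduled tasks that need a human decision."""
    weak = [message for pattern, message in WEAK_SETTINGS if pattern.search(log_text)]
    flagged = []
    for task in parse_scheduled_tasks(log_text):
        reasons = suspicious_reasons(task["job"], task["target"])
        if reasons:
            flagged.append((task["job"], task["target"], reasons))
    return {"weak_settings": weak, "flagged_tasks": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for message in result["weak_settings"]:
        print("weak setting:", message)
    for job, target, reasons in result["flagged_tasks"]:
        print(f"review {job} -> {target}: {'; '.join(reasons)}")
```

Run it on a full ComboFix log by passing the file contents in place of `SAMPLE_LOG`. A flagged task is a lead, not a verdict: the next steps are to hash the target file, check whether it was quarantined (the ComboFix-quarantined-files.txt line in the log names that list), and look at what the file does, which is the evidence the "what was it doing" question in post #12 needs. The weak-setting findings match what Security Check reports two posts later (firewall off, on-access scanning disabled) and are worth fixing on a machine that handles accounting data whatever the DLL turns out to be.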
#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,901 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 AM

Posted 27 June 2012 - 01:36 PM

Looking good.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#10 Vector23

Vector23
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 27 June 2012 - 01:42 PM

Checkup.txt


Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Please wait while WMIC compiles updated MOF files.
displayName
McAfee® Security as a Service Antivirus
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
JavaFX 2.1.0
Java™ 6 Update 24
Java™ 7 Update 4
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java version out of Date!
Adobe Flash Player 11.3.300.262
Adobe Reader 8 Adobe Reader out of Date!
Adobe Reader X (10.1.1)
Mozilla Firefox 12.0 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
McAfee Managed VirusScan DesktopUI XTray.exe
McAfee Managed VirusScan Agent swAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 12% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,901 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 AM

Posted 28 June 2012 - 06:50 AM

Remove these old versions of Java using the Add/Remove programs list.

Java™ 6 Update 24
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download I suggest you uncheck the box on the top right "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

You can take care of the other red flags when time permits.
===

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#12 Vector23

Vector23
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 28 June 2012 - 03:43 PM

Were we able to find out what this malware was from the logs? My higher-ups are going to want to know the extent of what this package was doing, as it was on a PC that had access to sensitive data.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,901 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 AM

Posted 29 June 2012 - 07:30 AM

From what we know the Redirects are used mostly to advertise products.

What is captured if any is not possible to find out.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,901 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:45 AM

Posted 05 July 2012 - 08:39 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
